Too Much Spam, Not Enough Identification

Lots of good stuff yesterday at the Meltdown conference. Rather than summarize it all, let me give you two random observations about the discussion.

The security session descended into a series of rants about the evil of spam. Lately this seems to happen often in conference panels about security. This strikes me as odd, since spam is far from the worst security problem we face online. Don’t get me wrong; spam annoys me, just like everybody else. But I don’t think we’ll make much progress on the spam problem until we get a handle on more fundamental problems, such as how to protect ordinary machines from hijacking, and how to produce higher-quality commercial software.

Another interesting feature, noted by Michael Froomkin, was the central role of identification technologies in the day’s discussions, both in diagnoses of Internet policy problems, and in proposed solutions. When the topic was spam, people liked technologies that identify message senders; but on other topics, identification was considered harmful. I hope to see more discussion about identification at the conference. (I’ll have another posting on online identification later this week.)

[Susan Crawford has an interesting summary of yesterday’s discussion. She says I was “wise in the hallways”, whatever that means.]

Comments

I think one of our largest problems in producing secure software is a lack of demand for such software from customers. Most security problems either don’t annoy the customer much or have their cause blamed on something other than the insecure software (i.e., people buying new computers when spyware has slowed down their current machines because they blame the slowness on the machine, not the software, much of which is invisible to them.) I’ve talked to many computer users who actually like the idea of rebooting, expressing a wish that they could fix problems with other machines that they owned in the same way. Computer crashes and malware rarely destroy much data for ordinary consumers, so there’s too little annoyance to create a demand for more reliable and secure software.

On the other hand, spam is a visible annoyance that not only impacts almost everyone, but also which can’t be blamed on anything but spam senders taking advantage of insecure email systems. In the present environment, spam is a larger annoyance to most people than either malware or crackers. Perhaps that will change with time, or perhaps we can use the annoyance of spam as a way to convince users of a general need for software security.

Ed Felten reports from yet-another “we gotta do something about the Internet but we don’t know what” conference: When the topic was spam, people liked technologies that identify message senders; but on other topics, identification was considered harmfu…

The Internet as many have known it will collapse under the weight of its own contradictions.

Whether this is good or bad depends on one’s perspective.

Take the open email infrastructure and the resulting problems of unsolicited bulk email, email fraud and forgery, along with the malicious spread of viruses, trojan horses and worms.

At one time, the Internet was like a small village. Today, it is like a megalopolis.

We need some major infrastructure work, an agreement on basic social behavior, along with bright lines and tough enforcement for email to remain a viable communication medium and marketing channel.

In making the needed changes, compromises will have to be made, certain perceived freedoms foregone and other freedoms gained.

To make it all work will require a lot of effort, goodwill, a bit of luck and a willingness to learn from our mistakes.

What will emerge? Sender authentication, if put together properly, will help to control acts of abusive email behavior, such as spoofing.

To get their message delivered, marketers will have to move to verified opt-in with prior disclosure.

We will put some basic controls in place.

The struggle between those who wish to abuse freedom and those who want to secure it will continue.

As to the rest? Enjoy the show. It’s all a part of the crazy circus we call life.

John Glube
Toronto, Canada

Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.